Meyers’ team at CrowdStrike compiled a startling amount of information about Chen Ping (who happens to have a very common name), the alleged member of Unit 61486. CrowdStrike first looked at remote web domains being used to direct and control malware on infected computers. The web domains had to be registered, and the team found that many of the domains were registered under the same email addresses. One registered at least a half-dozen of the website domain names; someone with another email address registered several as well.

The big find, however, was a certain “cpyy” — operating with two major email providers — who had registered a large number of the remote malware-control domains. The CrowdStrike team cast a wide net to find cpyy, trailing the nom de guerre to a personal blog by a registrant named Chen. Chen’s blog profile, all in Chinese, stated he was born on May 25, 1979, and that he worked for the “military/police.” Another cpyy blog listed the identical birthdate and noted that the user lived in Shanghai. The blog said, “Soldier’s duty is to defend the country, as long as our country is safe, our military is excellent.” Meyers’ team was fairly certain it was the same Chen, given that same handle appeared repeatedly, but they needed more evidence to connect him to the PLA.

Sifting through the public records that connected Chen’s online profiles, the team found photos he posted. He shot with a Nikon, CrowdStrike said. He had a Google Picasa album with some of the same pictures in his blog post. Photos captioned “me” showed a young man with a bemused smile, laughing in a tent with a friend, doing pull-ups in front of a group of soldiers and playing guitar in a field. He took artistic photographs of objects in what he called “office.” According to Meyers, the photos revealed Chen was not just one hacker acting alone: in one, PLA hats were stacked in the background, and another photo of satellite dishes in his album “office” indicated ties to army signals intelligence. [Source]